"server" must be an instance of URL #2202

Open
BenSaxon opened this issue Feb 4, 2025 · 2 comments

BenSaxon commented Feb 4, 2025

Describe the bug
When making a request using a client, I get an error:

TypeError: Failed to fetch resource metadata for <API_ENDPOINT_URI>: "server" must be an instance of URL

This is since upgrading to v1 from v.0.18

It's strange though, because sometimes the code path misses the step and thus the error isn't thrown.

The issue is happening when the idp-issuer-url arg is passed into the oidc.discovery method, here: node_modules/.pnpm/@[email protected]/node_modules/@kubernetes/client-node/dist/oidc_auth.js line 91:

    async getClient(user) {
        const configuration = await oidc.discovery(user.authProvider.config['idp-issuer-url'], user.authProvider.config['client-id']);
        return new OidcClient(configuration);
    }

The first argument of oidc.discovery expects a URL object but is getting a string. And as a result it throws an error.

My kube config builder function is as follows:

    export function createConfig(session: App.Session, rgFullPath?: string) {
      const kc = new k8s.KubeConfig();
      const orgId = getOrgId(session);

      const { clusterApiServerPath, namespace } = buildK8sServerContext(
        orgId,
        rgFullPath
      );

      const cluster: k8s.Cluster = {
        name: "cluster",
        server: clusterApiServerPath,
        skipTLSVerify: true
      };

      const user: k8s.User = {
        name: "user",
        authProvider: {
          name: "oidc",
          config: {
            "client-id": publicEnv.PUBLIC_KEYCLOAK_CLIENT_ID,
            "client-secret": env.KEYCLOAK_CLIENT_SECRET,
            "id-token": session.access_token,
            "idp-issuer-url": publicEnv.PUBLIC_KEYCLOAK_ISSUER_URL,
            "refresh-token": session.refresh_token
          }
        }
      };

      const context: k8s.Context = {
        name: "my-context",
        user: user.name,
        cluster: cluster.name,
        namespace
      };

      kc.loadFromOptions({
        clusters: [cluster],
        users: [user],
        contexts: [context],
        currentContext: context.name
      });

      return kc;
    }

I have tried setting idp-issuer-url to be a URL but that doesn't work.

Bear in mind that this worked fine before upgrading to v1.

Client Version
1.0.0

To Reproduce

  1. Create a kube config object like above.
  2. Use the config object to create a client function and invoke a k8s endpoint using the client function.

Expected behavior

An error should display like:

TypeError: Failed to fetch resource metadata for iam.evroclabs.net/v1alpha3/ResourceGroup: "server" must be an instance of URL
    at CodedTypeError (file:///Users/bensaxon/Documents/code/monorepo/src/private/console/node_modules/.pnpm/[email protected]/node_modules/openid-client/build/index.js:44:17)
    at Module.discovery (file:///Users/bensaxon/Documents/code/monorepo/src/private/console/node_modules/.pnpm/[email protected]/node_modules/openid-client/build/index.js:146:15)
    at OpenIDConnectAuth.getClient (file:///Users/bensaxon/Documents/code/monorepo/src/private/console/node_modules/.pnpm/@[email protected]/node_modules/@kubernetes/client-node/dist/oidc_auth.js:92:42)
    at OpenIDConnectAuth.refresh (file:///Users/bensaxon/Documents/code/monorepo/src/private/console/node_modules/.pnpm/@[email protected]/node_modules/@kubernetes/client-node/dist/oidc_auth.js:82:73)
    at OpenIDConnectAuth.getToken (file:///Users/bensaxon/Documents/code/monorepo/src/private/console/node_modules/.pnpm/@[email protected]/node_modules/@kubernetes/client-node/dist/oidc_auth.js:70:21)
    at OpenIDConnectAuth.applyAuthentication (file:///Users/bensaxon/Documents/code/monorepo/src/private/console/node_modules/.pnpm/@[email protected]/node_modules/@kubernetes/client-node/dist/oidc_auth.js:55:34)
    at KubeConfig.applyAuthorizationHeader (file:///Users/bensaxon/Documents/code/monorepo/src/private/console/node_modules/.pnpm/@[email protected]/node_modules/@kubernetes/client-node/dist/config.js:444:33)
    at KubeConfig.applyOptions (file:///Users/bensaxon/Documents/code/monorepo/src/private/console/node_modules/.pnpm/@[email protected]/node_modules/@kubernetes/client-node/dist/config.js:452:20)
    at KubeConfig.applySecurityAuthentication (file:///Users/bensaxon/Documents/code/monorepo/src/private/console/node_modules/.pnpm/@[email protected]/node_modules/@kubernetes/client-node/dist/config.js:146:20)
    at KubernetesObjectApi.requestPromise (file:///Users/bensaxon/Documents/code/monorepo/src/private/console/node_modules/.pnpm/@[email protected]/node_modules/@kubernetes/client-node/dist/object.js:437:90) {
  code: 'ERR_INVALID_ARG_TYPE',
  [cause]: undefined
}
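
The report above says oidc.discovery requires a URL object and that the failure only shows up on some code paths. As an added example (not part of the original post and not client-node code), a hypothetical `normalizeIssuer` helper converts and checks an issuer value once, when the config is built, so a bad value fails deterministically rather than on a later token refresh. The helper names, the checks chosen and the sample values are assumptions.

```javascript
// Added example; normalizeIssuer, checkSamples and the sample values are
// hypothetical and constructed here, not part of @kubernetes/client-node.
// Return a fresh URL for an OIDC issuer given as string or URL, or throw a
// TypeError naming the problem, so bad config fails when it is built.
function normalizeIssuer(value) {
  let url;
  if (value instanceof URL) {
    url = new URL(value.href); // copy: later mutation of the input is harmless
  } else if (typeof value === "string" && value.trim() !== "") {
    try {
      url = new URL(value.trim());
    } catch {
      throw new TypeError(`idp-issuer-url is not an absolute URL: ${JSON.stringify(value)}`);
    }
  } else {
    const kind = value === null ? "null" : typeof value;
    throw new TypeError(`idp-issuer-url must be a string or URL, got ${kind}`);
  }
  // OIDC issuer identifiers use https and carry no query or fragment.
  if (url.protocol !== "https:") {
    throw new TypeError(`idp-issuer-url must use https, got ${url.protocol}`);
  }
  if (url.search !== "" || url.hash !== "") {
    throw new TypeError("idp-issuer-url must not contain a query or fragment");
  }
  if (url.username !== "" || url.password !== "") {
    throw new TypeError("idp-issuer-url must not embed credentials");
  }
  return url;
}

// Run each sample through the check and record the outcome side by side.
function checkSamples(samples) {
  return samples.map((sample) => {
    try {
      return { ok: true, issuer: normalizeIssuer(sample).href };
    } catch (err) {
      return { ok: false, error: err.message };
    }
  });
}

// Constructed inputs: two valid forms, then four that must be rejected.
const SAMPLES = [
  "https://idp.example.test/realms/demo", new URL("https://idp.example.test/realms/demo"),
  undefined, "idp.example.test/realms/demo",
  "http://idp.example.test/realms/demo", "https://user:pw@idp.example.test/realms/demo",
];
console.log(checkSamples(SAMPLES));
```
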
@brendandburns
Contributor

My guess is that somehow user.authProvider.config['idp-issuer-url'] is getting overwritten sometimes because of something racy happening in your code, but that's just a guess.

It's intermittent because you get a token and it works, but then the next time through when it needs to refresh something is different.

But that's just a guess. I don't have a server with OIDC enabled that I can test against.

@BenSaxon
Author

BenSaxon commented Feb 5, 2025

Thanks @brendandburns, I'll look into that.
